A malicious code classification method and system

By collecting and transforming multi-source malware data, extracting static and dynamic features, and using multi-scale convolutional algorithms and pre-trained models for malware classification, the problem of insufficient accuracy and robustness in existing technologies is solved, achieving efficient and robust malware detection.

CN122153564APending Publication Date: 2026-06-05BEIJING AEROSPACE WANYUAN TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING AEROSPACE WANYUAN TECH CO LTD
Filing Date
2026-02-03
Publication Date
2026-06-05

Smart Images

  • Figure CN122153564A_ABST
    Figure CN122153564A_ABST
Patent Text Reader

Abstract

The application belongs to the technical field of network security, and particularly relates to a malicious code classification method and system, aiming to solve the problem of realizing malicious code classification with consideration of accuracy, robustness and data adaptability. The method comprises the following steps: collecting multi-source malicious code data; extracting static features and dynamic features; obtaining low-dimensional key sub-feature vectors based on the static features and the dynamic features; extracting instruction sequence features, behavior pattern features and file structure features from the low-dimensional key sub-feature vectors, and obtaining comprehensive features through weighting; calculating the comprehensive features using a convolution algorithm with different sizes of convolution kernels to obtain multiple feature maps; obtaining multi-scale feature maps based on the multiple feature maps; and using a pre-trained classification model to classify the malicious code with the multi-scale feature maps as input. The malicious code classification method and system provided by the application effectively improve the accuracy, robustness and data adaptability of the malicious code classification method.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of network security technology, specifically relating to a method and system for classifying malicious code. Background Technology

[0002] Currently, malicious code attacks have become one of the major risks to cybersecurity. The types of malicious code are constantly evolving, and attack methods are becoming more diversified, covert, and variant, posing a serious challenge to the stable operation of information systems and data security. Therefore, how to efficiently and accurately detect and classify malicious code in order to promptly discover and curb malicious code attacks has become a core technical problem that urgently needs to be solved in the field of cybersecurity.

[0003] Currently, existing malware classification methods mainly fall into two categories: traditional classification methods and machine learning-based classification methods. Traditional malware classification methods primarily rely on signature-based antivirus software and heuristic analysis. The former uses a predefined database of malware signatures for matching and detection, while the latter uses a rule base of malicious behavior to determine whether the code exhibits suspicious malicious activity. However, these traditional methods have significant limitations. When faced with attacks from unknown malware or malware variants, they often struggle to classify effectively due to a lack of generalization ability to unknown features and variant patterns.

[0004] In recent years, machine learning technology has been widely used and made some progress in the field of malware detection, partially alleviating the problem of insufficient generalization ability of traditional methods. However, existing machine learning-based malware detection methods still have significant technical shortcomings and are difficult to meet the needs of malware detection in complex network environments. Specific shortcomings are as follows:

[0005] First, feature capture is incomplete, resulting in insufficient detection accuracy. Existing machine learning models typically rely on features of a single type of malware for training, such as using only static features like instruction sequences or only dynamic features like behavioral patterns. This makes it difficult to comprehensively capture the diverse characteristics of malware. A single feature cannot fully characterize the core attributes of malware, leading to insufficient model discrimination against malware and difficulty in further improving classification accuracy.

[0006] Second, the model has poor robustness and weak resistance to attacks. Existing machine learning models are not strong enough to resist adversarial attacks and are easily interfered with in complex network environments, which leads to a significant drop in model classification performance and makes it difficult to effectively deal with variant and covert malicious code attacks.

[0007] Third, insufficient data processing capabilities and poor adaptability. Malicious code data usually comes from different operating platforms and network environments, and the data distribution is heterogeneous, which will form data silos. Traditional centralized machine learning training methods are difficult to effectively handle the above-mentioned heterogeneous data and data silo problems, resulting in incomplete coverage of model training data, further limiting generalization ability, and a decline in overall model performance.

[0008] In summary, existing malware classification methods have significant shortcomings in terms of accuracy, robustness, and data adaptability, making it difficult to effectively address the current complex and ever-changing malware threats. Therefore, there is an urgent need for a malware classification scheme that balances accuracy, robustness, and data adaptability to effectively address complex and ever-changing malware threats and improve network security protection capabilities. Summary of the Invention

[0009] To address the aforementioned technical problems in the prior art, namely how to achieve a malicious code classification that balances accuracy, robustness, and data adaptability, this application provides a malicious code classification method and system.

[0010] In a first aspect of this application, a method for classifying malicious code is provided, comprising:

[0011] Collect multi-source malware data, convert the multi-source malware data into a unified format, and obtain standardized malware data;

[0012] Extract static features from the standardized malicious code data, including instruction flow features, structural features, and code pattern features;

[0013] Extract the dynamic features of the standardized malicious code data, where the dynamic features are the behavioral characteristics of the standardized malicious code data when running in a sandbox.

[0014] Based on the static and dynamic features, a high-dimensional feature vector is obtained;

[0015] Key sub-feature vectors are selected from the high-dimensional feature vectors, and the dimensionality of the key sub-feature vectors is reduced to obtain low-dimensional key sub-feature vectors.

[0016] Instruction sequence features, behavior pattern features, and file structure features are extracted from the low-dimensional key sub-feature vectors, and a weighted sum of the instruction sequence features, behavior pattern features, and file structure features is calculated to obtain a comprehensive feature.

[0017] The comprehensive features are convolved using N convolution algorithms to obtain N feature maps, and the kernel sizes of the N convolution algorithms are all different.

[0018] A multi-scale feature map is obtained based on the N feature maps;

[0019] Using the multi-scale feature map as input, a pre-trained classification model is used to classify malicious code.

[0020] Optionally, extracting the static features of the standardized malicious code data includes:

[0021] Code segment data is extracted from the standardized malicious code data, the code segment data is disassembled to obtain an opcode sequence, and an instruction stream feature vector is obtained based on the opcode sequence;

[0022] The standardized malicious code data is parsed to obtain multiple segment data, the structural parameters of each segment data are calculated, and a structural feature vector is obtained based on the structural parameters. The structural parameters include size, entropy value and structural integrity parameter. The multiple segment data includes PE file header, segment table, import table and export table.

[0023] The standardized malicious code data is divided into multiple basic blocks. Based on the statistical and classification features of the multiple basic blocks, a code feature vector is generated. Each basic block has only one entry point and only one exit point.

[0024] The instruction flow feature vector, the structure feature vector, and the code feature vector are normalized, and the normalized instruction flow feature vector, the structure feature vector, and the code feature vector are concatenated to form the static feature.

[0025] Optionally, extracting the dynamic features of the standardized malicious code data includes:

[0026] The standardized malicious code data is run in a sandbox, and various running behaviors of the standardized malicious code data are monitored to obtain the first frequency statistical characteristics, the first n-gram sequence characteristics, and the first behavior type distribution characteristics of the various running behaviors. The running behaviors include API call behavior, system call behavior, memory allocation behavior, file and registry operation behavior, and network communication behavior.

[0027] The first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are normalized, and the normalized first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are concatenated to form the dynamic feature.

[0028] Optionally, obtaining the high-dimensional feature vector based on the static and dynamic features includes:

[0029] The static features and the dynamic features are vectorized respectively to obtain static feature vector S and dynamic feature vector D, and the high-dimensional feature vector... ,in and These are the preset weighting coefficients.

[0030] Optionally, the step of filtering key sub-feature vectors from the high-dimensional feature vector includes:

[0031] Calculate the statistical correlation index between each feature dimension in the high-dimensional feature vector and the corresponding sample category label, and calculate the feature importance value of each feature dimension based on the pre-trained tree model;

[0032] ;

[0033] in, Let i be the feature importance value of the i-th feature. The statistical correlation index represents the relationship between the i-th feature and its corresponding sample category label. This statistical correlation index is a weighted sum of the mutual information, information gain, variance, and chi-square statistic between the i-th feature and its corresponding sample category label. This represents the feature value of the i-th dimension in the pre-trained tree model. and These are pre-set weighting coefficients;

[0034] Based on the feature importance value, each feature dimension is sorted, and the features ranked in the top q positions are selected and concatenated to form the sub-feature vector, where q is preset.

[0035] Calculate the representative score of the sub-feature vector. ,in, and The preset weighting coefficients and information content The sum of the Shannon entropy values ​​of each dimension of the sub-feature vector, representing the classification correlation. The mutual information between the sub-feature vector and the sample category label;

[0036] Select the sub-feature vectors whose representative scores are greater than or equal to a preset threshold as key sub-feature vectors.

[0037] Optionally, the malicious code classification method uses principal component analysis to reduce the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors.

[0038] Optionally, extracting instruction sequence features from the low-dimensional key feature vector includes:

[0039] The target program is extracted from the low-dimensional key feature vector; the target program is disassembled to obtain the instruction sequence;

[0040] For each instruction sequence, the opcode and operand type information are extracted from the instruction sequence, the frequency of the opcode is counted and the instruction n-gram sequence is obtained, and the frequency of the opcode and the instruction n-gram sequence are encoded into a fixed-dimensional numerical vector as the feature of the candidate instruction sequence.

[0041] Calculate the importance score of the features of the candidate instruction sequence. ,in, and Given preset weight coefficients, the sequence complexity is... The frequency distribution entropy value of the opcode, and the mode discrimination degree. The sum of the distances between the candidate instruction sequence features and other candidate instruction sequence features;

[0042] Select the candidate instruction sequence features whose importance score is greater than or equal to a preset threshold as the instruction sequence features.

[0043] Optionally, extracting behavioral pattern features from the low-dimensional key feature vector includes:

[0044] The low-dimensional key feature vector is run in a sandbox, and the various running behaviors of the low-dimensional key feature vector are monitored to obtain the second frequency statistical features, the second n-gram sequence features and the second behavior type distribution features of each running behavior. The running behaviors include file operation behavior, registry modification behavior, process management behavior, memory allocation behavior and network communication behavior.

[0045] For each running behavior, the second frequency statistical feature, the second n-gram sequence feature, and the second behavior type distribution feature are normalized, and the normalized second frequency statistical feature, the second n-gram sequence feature, and the second behavior type distribution feature are concatenated to form the candidate behavior pattern feature;

[0046] Calculate the pattern feature score of the candidate behavior pattern features. ,in, and The preset weighting coefficients represent the frequency of actions. The normalized number of times the described behavior occurs within a preset time window. The hazard level is a preset level based on expert annotations;

[0047] Select the candidate behavioral pattern features whose pattern feature scores are greater than or equal to a preset threshold as the behavioral pattern features.

[0048] Optionally, extracting file structure features from the low-dimensional key sub-feature vector includes:

[0049] The low-dimensional key feature vector is parsed to obtain the PE file header information. The numerical attributes of the sections of the PE file header information are extracted. The numerical attributes include the number, size, entropy value and the number of high-risk APIs. The candidate file structure features are formed based on the numerical attributes.

[0050] Calculate the feature score of the structural features of the candidate files. ,in, and The weighting coefficients are preset, and the structural complexity is... The entropy of the PE file structure, It is the degree of deviation between the structural features of the candidate file and those of normal samples;

[0051] The candidate file structure features whose feature scores are greater than or equal to a preset threshold are selected as the file structure features.

[0052] Optionally, obtaining the multi-scale feature map based on the N feature maps includes:

[0053] The N feature maps are normalized so that the scale and distribution of the N feature maps are the same;

[0054] The activation function is used to calculate the N normalized feature maps to obtain N intermediate feature maps;

[0055] The N intermediate feature maps are pooled to obtain N pooled feature maps;

[0056] Calculate the weighted sum of the N pooling feature maps. The multi-scale feature map is obtained, wherein, For the i-th pooling feature map, This is the i-th preset weight coefficient.

[0057] Optionally, the malicious code classification method further includes training the classification model using a training set, wherein training the classification model includes:

[0058] The multi-scale feature map of the malware sample data in the training set is calculated, and the multi-scale feature map of the malware sample data is used as the input of the classification model, with a loss function... Minimize the target value to train the bandit model, where, Let M be the true classification label of the j-th malicious code sample data, and M be the number of malicious code sample data. This is the multi-scale feature map corresponding to the j-th malware sample data. This indicates that the multi-scale feature map After inputting the classification model, the obtained prediction output value is the probability that the malicious code sample data belongs to the malicious code category. These represent the weights and biases of the convolutional neural network in the classification model.

[0059] Optionally, the malicious code classification method further includes:

[0060] Adversarial sample data is generated based on the malicious code sample data in the training set, and the multi-scale feature map of the adversarial sample data... ,in, The multi-scale feature map of the malicious code sample data. ,in, The preset disturbance intensity, for gradient, y is the true classification label of the malicious code sample data. The output function of the classification model;

[0061] The adversarial sample data is added to the training set to obtain a comprehensive training set, which is then used to train the classification model.

[0062] Optionally, training the classification model using the comprehensive training set includes:

[0063] Computational fusion of multi-scale features ,in, and The preset weighting coefficients are used to fuse the multi-scale features. The classification model is trained by using the input of the input.

[0064] Optionally, the malicious code classification method further includes:

[0065] The perturbation intensity is adjusted based on the generalization ability score of the classification model to obtain a new perturbation intensity, and the generalization ability score is... ,in, and The preset weighting coefficients determine the classification accuracy. robustness against ;

[0066] The adversarial sample data is regenerated using the new perturbation intensity, and then added to the training set to obtain a comprehensive training set. The classification model is then trained using the comprehensive training set.

[0067] In a second aspect of this application, a malicious code classification system is provided, the system comprising:

[0068] The acquisition module is used to collect multi-source malicious code data and convert the multi-source malicious code data into a unified format to obtain standardized malicious code data.

[0069] A static feature extraction module is used to extract static features from the standardized malicious code data, wherein the static features include instruction flow features, structural features, and code pattern features.

[0070] The dynamic feature extraction module extracts the dynamic features of the standardized malicious code data, wherein the dynamic features are the behavioral characteristics of the standardized malicious code data when running in the sandbox.

[0071] A high-dimensional feature acquisition module is used to obtain a high-dimensional feature vector based on the static and dynamic features;

[0072] The key feature acquisition module filters out key sub-feature vectors from the high-dimensional feature vectors and reduces the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors.

[0073] The key feature parsing module is used to extract instruction sequence features, behavior pattern features, and file structure features from the low-dimensional key sub-feature vectors.

[0074] The feature synthesis module is used to calculate the weighted sum of the instruction sequence features, the behavior pattern features, and the file structure features to obtain the synthesized features;

[0075] A multi-scale convolution module is used to perform convolution calculations on the comprehensive features using N convolution algorithms to obtain N feature maps, wherein the convolution kernel sizes of the N convolution algorithms are all different;

[0076] A multi-scale fusion module is used to obtain a multi-scale feature map based on the N feature maps;

[0077] The classification module is used to classify malicious code using a pre-trained classification model, taking the multi-scale feature map as input.

[0078] Optionally, the static feature extraction module is specifically used for:

[0079] Code segment data is extracted from the standardized malicious code data, the code segment data is disassembled to obtain an opcode sequence, and an instruction stream feature vector is obtained based on the opcode sequence;

[0080] The standardized malicious code data is parsed to obtain multiple segment data, the structural parameters of each segment data are calculated, and a structural feature vector is obtained based on the structural parameters. The structural parameters include size, entropy value and structural integrity parameter. The multiple segment data includes PE file header, segment table, import table and export table.

[0081] The standardized malicious code data is divided into multiple basic blocks. Based on the statistical and classification features of the multiple basic blocks, a code feature vector is generated. Each basic block has only one entry point and only one exit point.

[0082] The instruction flow feature vector, the structure feature vector, and the code feature vector are normalized, and the normalized instruction flow feature vector, the structure feature vector, and the code feature vector are concatenated to form the static feature.

[0083] Optionally, the dynamic feature extraction module is specifically used for:

[0084] The standardized malicious code data is run in a sandbox, and various running behaviors of the standardized malicious code data are monitored to obtain the first frequency statistical characteristics, the first n-gram sequence characteristics, and the first behavior type distribution characteristics of the various running behaviors. The running behaviors include API call behavior, system call behavior, memory allocation behavior, file and registry operation behavior, and network communication behavior.

[0085] The first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are normalized, and the normalized first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are concatenated to form the dynamic feature.

[0086] Optionally, the high-dimensional feature acquisition module is specifically used for:

[0087] The static features and the dynamic features are vectorized respectively to obtain static feature vector S and dynamic feature vector D, and the high-dimensional feature vector... ,in and These are the preset weighting coefficients.

[0088] Optionally, the key feature acquisition module is specifically used for:

[0089] Calculate the statistical correlation index between each feature dimension in the high-dimensional feature vector and the corresponding sample category label, and calculate the feature importance value of each feature dimension based on the pre-trained tree model;

[0090] ;

[0091] in, Let i be the feature importance value of the i-th feature. The statistical correlation index represents the relationship between the i-th feature and its corresponding sample category label. This statistical correlation index is a weighted sum of the mutual information, information gain, variance, and chi-square statistic between the i-th feature and its corresponding sample category label. This represents the feature value of the i-th dimension in the pre-trained tree model. and These are pre-set weighting coefficients;

[0092] Based on the feature importance value, each feature dimension is sorted, and the features ranked in the top q positions are selected and concatenated to form the sub-feature vector, where q is preset.

[0093] Calculate the representative score of the sub-feature vector. ,in, and The preset weighting coefficients and information content The sum of the Shannon entropy values ​​of each dimension of the sub-feature vector, representing the classification correlation. The mutual information between the sub-feature vector and the sample category label;

[0094] Select the sub-feature vectors whose representative scores are greater than or equal to a preset threshold as key sub-feature vectors;

[0095] The key feature vector is reduced in dimensionality to obtain a low-dimensional key feature vector.

[0096] Optionally, the key feature parsing module includes:

[0097] The instruction sequence feature extraction submodule is used to extract instruction sequence features from the low-dimensional key sub-feature vector;

[0098] A behavior pattern feature extraction submodule is used to extract behavior pattern features from the low-dimensional key sub-feature vector; and,

[0099] The file structure feature extraction submodule is used to extract file structure features from the low-dimensional key sub-feature vector.

[0100] Optionally, the instruction sequence feature extraction submodule is specifically used for:

[0101] The target program is extracted from the low-dimensional key feature vector; the target program is disassembled to obtain the instruction sequence;

[0102] For each instruction sequence, the opcode and operand type information are extracted from the instruction sequence, the frequency of the opcode is counted and the instruction n-gram sequence is obtained, and the frequency of the opcode and the instruction n-gram sequence are encoded into a fixed-dimensional numerical vector as the feature of the candidate instruction sequence.

[0103] Calculate the importance score of the features of the candidate instruction sequence. ,in, and Given preset weight coefficients, the sequence complexity is... The frequency distribution entropy value of the opcode, and the mode discrimination degree. The sum of the distances between the candidate instruction sequence features and other candidate instruction sequence features;

[0104] Select the candidate instruction sequence features whose importance score is greater than or equal to a preset threshold as the instruction sequence features.

[0105] Optionally, the behavior pattern feature extraction submodule is specifically used for:

[0106] The low-dimensional key feature vector is run in a sandbox, and the various running behaviors of the low-dimensional key feature vector are monitored to obtain the second frequency statistical features, the second n-gram sequence features and the second behavior type distribution features of each running behavior. The running behaviors include file operation behavior, registry modification behavior, process management behavior, memory allocation behavior and network communication behavior.

[0107] For each running behavior, the second frequency statistical feature, the second n-gram sequence feature, and the second behavior type distribution feature are normalized, and the normalized second frequency statistical feature, the second n-gram sequence feature, and the second behavior type distribution feature are concatenated to form the candidate behavior pattern feature;

[0108] Calculate the pattern feature score of the candidate behavior pattern features. ,in, and The preset weighting coefficients represent the frequency of actions. The normalized number of times the described behavior occurs within a preset time window. The hazard level is a preset level based on expert annotations;

[0109] Select the candidate behavioral pattern features whose pattern feature scores are greater than or equal to a preset threshold as the behavioral pattern features.

[0110] Optionally, the file structure feature extraction submodule is specifically used for:

[0111] The low-dimensional key feature vector is parsed to obtain the PE file header information. The numerical attributes of the sections of the PE file header information are extracted. The numerical attributes include the number, size, entropy value and the number of high-risk APIs. The candidate file structure features are formed based on the numerical attributes.

[0112] Calculate the feature score of the structural features of the candidate files. ,in, and The weighting coefficients are preset, and the structural complexity is... The entropy of the PE file structure, It is the degree of deviation between the structural features of the candidate file and those of normal samples;

[0113] The candidate file structure features whose feature scores are greater than or equal to a preset threshold are selected as the file structure features.

[0114] Optionally, the multi-scale fusion module is specifically used for:

[0115] The N feature maps are normalized so that the scale and distribution of the N feature maps are the same;

[0116] The activation function is used to calculate the N normalized feature maps to obtain N intermediate feature maps;

[0117] The N intermediate feature maps are pooled to obtain N pooled feature maps;

[0118] Calculate the weighted sum of the N pooling feature maps. The multi-scale feature map is obtained, wherein, For the i-th pooling feature map, This is the i-th preset weight coefficient.

[0119] Optionally, the malicious code classification system further includes a classification model training module, used to train the classification model using a training set, wherein the classification model training module is specifically used for:

[0120] The multi-scale feature map of the malware sample data in the training set is calculated, and the multi-scale feature map of the malware sample data is used as the input of the classification model, with a loss function... Minimize the target value to train the classification model, where, Let M be the true classification label of the j-th malicious code sample data, and M be the number of malicious code sample data. This is the multi-scale feature map corresponding to the j-th malware sample data. This indicates that the multi-scale feature map After inputting the classification model, the obtained prediction output value is the probability that the malicious code sample data belongs to the malicious code category. These represent the weights and biases of the convolutional neural network in the classification model.

[0121] Optionally, the classification model training module is further configured to:

[0122] Adversarial sample data is generated based on the malicious code sample data in the training set, and the multi-scale feature map of the adversarial sample data... ,in, The multi-scale feature map of the malicious code sample data. ,in, The preset disturbance intensity, for gradient, y is the true classification label of the malicious code sample data. The output function of the classification model;

[0123] The adversarial sample data is added to the training set to obtain a comprehensive training set, which is then used to train the classification model.

[0124] Optionally, when training the classification model using the comprehensive training set, the training model is specifically used for:

[0125] Computational fusion of multi-scale features ,in, and The preset weighting coefficients are used to fuse the multi-scale features. The classification model is trained by using the input of the input.

[0126] Optionally, the classification model training module is further configured to:

[0127] The perturbation intensity is adjusted based on the generalization ability score of the classification model to obtain a new perturbation intensity, and the generalization ability score is... ,in, and The preset weighting coefficients determine the classification accuracy. robustness against ;

[0128] The adversarial sample data is regenerated using the new perturbation intensity, and then added to the training set to obtain a comprehensive training set. The classification model is then trained using the comprehensive training set.

[0129] In a third aspect of this application, an electronic device is provided, comprising:

[0130] At least one processor; and,

[0131] A memory communicatively connected to at least one of the processors; wherein,

[0132] The memory stores instructions that can be executed by the processor to implement the aforementioned malicious code classification method.

[0133] In a fourth aspect of this application, a computer-readable storage medium is provided, the computer-readable storage medium storing computer instructions for execution by the computer to implement the above-described malicious code classification method.

[0134] In a fifth aspect of this application, a computer program product containing instructions is provided, which, when executed by a computer device, cause the computer device to perform the malicious code classification method described above.

[0135] The malware classification method and system provided in this application effectively solve the problems of heterogeneous and inconsistent distribution of malware data. Through a systematic data preprocessing, feature engineering, and model training process, it accurately extracts the core features of malware, successfully achieving efficient and robust malware classification and providing reliable malware detection support for enterprises and critical infrastructure. Simultaneously, by comprehensively capturing the static and dynamic characteristics of malware, it significantly improves the accuracy and generalization ability of classification, effectively adapting to malware classification needs in different scenarios. Furthermore, by constructing a multi-scale feature extraction framework, it significantly enhances the ability to resist unknown malware and adversarial attacks. It can also be combined with a dynamic adversarial training mechanism, based on the deep integration of multi-scale feature extraction and dynamic adversarial training, thereby greatly improving the robustness of the solution and achieving efficient detection and accurate classification of malware. Compared with traditional signature-based classification methods and single-feature machine learning models, the method and system provided in this application can effectively cope with complex and ever-changing malware threats, significantly reducing the false positive and false negative rates during the detection process, and further improving the level of network security protection. Attached Figure Description

[0136] Figure 1 This is a flowchart illustrating one implementation of the malicious code classification method of this application;

[0137] Figure 2 This is a flowchart illustrating another implementation of the malicious code classification method of this application;

[0138] Figure 3 This is a structural block diagram of one implementation of the malicious code classification system of this application;

[0139] Figure 4 This is a structural block diagram of another implementation of the malicious code classification system of this application. Detailed Implementation

[0140] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description, in conjunction with the accompanying drawings and examples, further clarifies this application. It should be understood that the specific examples described herein are merely illustrative and not intended to limit the scope of this application. Furthermore, the technical features involved in the various embodiments of this application described below can be combined with each other as long as they do not conflict with each other.

[0141] The present application will now be described in detail with reference to the accompanying drawings. A first aspect of this application provides a method for classifying malicious code. Figure 1 A flowchart illustrating one implementation of the malicious code classification method of this application is shown, such as... Figure 1 As shown, the malicious code classification method of the first embodiment of this application includes:

[0142] Step S101: Collect multi-source malicious code data, convert the multi-source malicious code data into a unified format, and obtain standardized malicious code data;

[0143] Step S102: Extract the static features of the standardized malicious code data, including instruction flow features, structural features, and code pattern features;

[0144] Step S103: Extract the dynamic features of the standardized malicious code data, wherein the dynamic features are the behavioral characteristics of the standardized malicious code data when running in the sandbox;

[0145] Step S104: Based on the static and dynamic features, obtain a high-dimensional feature vector;

[0146] Step S105: Select key sub-feature vectors from the high-dimensional feature vectors and reduce the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors;

[0147] Step S106: Extract instruction sequence features, behavior pattern features, and file structure features from the low-dimensional key feature vector, and calculate the weighted sum of the instruction sequence features, behavior pattern features, and file structure features to obtain the comprehensive features;

[0148] Step S107: Perform convolution calculations on the comprehensive features using N convolution algorithms to obtain N feature maps, wherein the kernel sizes of the N convolution algorithms are all different;

[0149] Step S108: Obtain a multi-scale feature map based on the N feature maps;

[0150] Step S109: Using the multi-scale feature map as input, perform malicious code classification using a pre-trained classification model.

[0151] Specifically, in step S101, multi-source malware data is collected. Data sources may include public virus databases, sandbox analysis platforms, or network traffic capture. This multi-source malware data can constitute a comprehensive dataset containing various malware types, ensuring the dataset covers diverse malware behaviors and characteristics. After collecting the multi-source malware data, the malware data from different sources is converted into a unified format (feature representation), such as a binary sequence, to obtain standardized malware data, eliminating the heterogeneous effects of different data formats and ensuring data processing consistency. In one possible implementation, step S101 may further include data cleaning of the collected multi-source malware data to remove duplicate samples, missing values, and invalid data to ensure data integrity and consistency. Step S101 may also include denoising the collected multi-source malware data to eliminate irrelevant noise introduced during data collection. The data cleaning and denoising can use conventional data cleaning and denoising methods, and therefore will not be elaborated further.

[0152] Step S1021: Extract code segment data from the standardized malicious code data, disassemble the code segment data to obtain an opcode sequence, and obtain an instruction stream feature vector based on the opcode sequence;

[0153] Step S1022: Parse the standardized malicious code data to obtain multiple segment data, calculate the structural parameters of each segment data, and obtain a structural feature vector based on the structural parameters. The structural parameters include size, entropy value and structural integrity parameters. The multiple segment data include PE file header, segment table, import table and export table.

[0154] Step S1023: Divide the standardized malicious code data into multiple basic blocks, and generate code feature vectors based on the statistical and classification features of the multiple basic blocks. Each basic block has only one entry point and only one exit point.

[0155] Step S1024: Normalize the instruction flow feature vector, the structure feature vector, and the code feature vector; then concatenate the normalized instruction flow feature vector, the structure feature vector, and the code feature vector to form the static feature.

[0156] Specifically, in step S102, for example, code segment location is first performed on the standardized malicious code data. Specifically, the segment table of the PE file is parsed, and segments (code segments) with the attribute "executable" are selected. The complete data of the segment is extracted from the original binary file as input for disassembly. A disassembly engine (such as Capstone or Ghidra API) is used to decompose the code segment data into instructions, filter redundant information, and retain only the opcode part (opcode sequence) in the code segment instructions. The retained and extracted opcode sequence is converted into a unified format, and then the opcode occurrence frequency, high-frequency opcode combinations (n-gram features), and instruction type distribution (such as the proportion of arithmetic operations, jumps, and memory operations) are calculated to form a fixed-dimensional statistical vector, thus obtaining the instruction flow feature vector.

[0157] Specifically, in step S102, for example, the PE file header (DOS header + NT header) is parsed to extract multiple segment data, such as ImageBase (base address), SectionAlignment (segment alignment), FileAlignment (file alignment), Subsystem (running subsystem), Import Table (IAT), and Export Table (EAT); all segment data is traversed, recording the name, VirtualSize, RawSize, VirtualAddress, and Characteristics of each segment; the Import Table (IAT) and Export Table (EAT) are parsed to count the number of imported functions, imported libraries, exported functions, and their name characteristics; the size ratio of each segment (e.g., the proportion of the .text segment to the total file size), the difference between the virtual size and the disk size (a large difference may indicate packing characteristics), etc., are calculated; the information entropy of the raw data of each segment is calculated, a high entropy value indicates that the segment data is highly random, and a low entropy value indicates that the data has strong regularity; the legality of the offsets in the Import Table and Export Table, the number of segment table entries, and the standard PE are checked. Format deviations, etc., yield structural integrity parameters; the parameters analyzed above (such as ImageBase, segment size ratio, entropy value of each segment, number of imported functions, etc.) are converted into numerical features to form a structural feature vector.

[0158] Specifically, in step S102, for example, the standardized malicious code data is divided into basic blocks. A basic block is a continuously executed sequence of instructions with only one entry point and one exit point. The code segment can be divided into multiple basic blocks using jump instructions (such as JMP, JE, JNE) and return instructions (RET) as boundaries. Each basic block is treated as a node, recording the node ID, basic block length (number of instructions), core operations (e.g., whether it contains system calls or arithmetic operations), and edge definitions are made. For example, if the exit instruction of basic block A jumps to the entry point of basic block B, a directed edge A→B is constructed, with the edge type labeled as "conditional jump," "unconditional jump," "function call," or "return." Then, the basic blocks are statistically analyzed and encoded, such as the total number of basic blocks, the average length of basic blocks, the longest / shortest length of basic blocks, the number of basic blocks containing sensitive operations (such as system calls, memory read and write), and the distribution of node degree (in-degree / out-degree), the number of loop structures, the branch density (such as the proportion of jump instructions to total instructions), and the function call depth of the control flow graph. The statistical results are converted into numerical features, and one-hot encoding is used for classification features (such as jump type) to form code feature vectors.

[0159] Specifically, in step S102, the instruction flow feature vector, structure feature vector and code feature vector obtained above are normalized (e.g., normalized to the [0,1] interval) to ensure that the dimensions of each feature vector are uniform. Then, the normalized feature vectors are concatenated according to preset rules, for example, concatenated in the order of instruction flow feature vector + structure feature vector + code feature vector to form a complete feature vector with fixed dimensions, thus obtaining static features.

[0160] Specifically, step S103 may include:

[0161] Step S1031: Run the standardized malicious code data in a sandbox, monitor various running behaviors of the standardized malicious code data, and obtain the first frequency statistical features, the first n-gram sequence features, and the first behavior type distribution features of the various running behaviors. The running behaviors include API call behavior, system call behavior, memory allocation behavior, file and registry operation behavior, and network communication behavior.

[0162] Step S1032: Normalize the first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature; then concatenate the normalized first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature to form the dynamic feature.

[0163] Specifically, in step S103, for example, standardized malicious code data is placed in a pre-built and deployed sandbox for execution. Various operational behaviors of the standardized malicious code data are monitored, such as API call behavior, system call behavior, memory allocation behavior, file and registry operation behavior, and network communication behavior. The frequency of each behavior is statistically analyzed, such as the number of occurrences, API call frequency, operation type frequency, and high-risk behavior count, to obtain the frequency statistical characteristics of each behavior (first frequency statistical characteristics). The temporal correlation of behaviors is captured. Based on API call sequences and system call sequences, combinations of n consecutive behaviors (e.g., 2-gram sequences) are extracted. All unique behaviors (such as API function names) are integer-encoded, and the n-gram combinations are hash-mapped or one-hot-encoded, transforming them into fixed-dimensional vectors to obtain n-gram sequence features (first n-gram sequence features). Various behaviors are classified, for example, into 5 major categories—API... The system calculates the proportion of each behavior type (calling, file operation, registry operation, memory operation, and network communication) to the total number of behaviors. It then further refines the proportion of sub-categories (e.g., the proportion of "write" and "delete" in file operations) to form behavior type distribution features (the first behavior type distribution feature). The frequency statistics, n-gram sequence features, and behavior type distribution features obtained above are then normalized (e.g., normalized to the [0,1] interval) to avoid the influence of numerical range differences. The normalized features are then concatenated according to preset rules, such as in the order of frequency statistics + n-gram sequence features + behavior type distribution features, forming a complete feature with fixed dimensions, resulting in dynamic features. The monitoring of sandbox operation behavior and the acquisition of each feature can use conventional methods, so they will not be elaborated upon.

[0164] Specifically, in step S104, the static and dynamic features are vectorized separately, and then a weighted sum of the two is calculated to obtain a high-dimensional feature vector. This vectorization can employ conventional vectorization methods. ,in and Here, S represents the preset weight coefficients, S is the static feature vector, and D is the dynamic feature vector. Therefore, by comprehensively capturing both the static and dynamic characteristics of malicious code, the accuracy, generalization ability, and adaptability of classification can be significantly improved.

[0165] Specifically, in step S105, key sub-feature vectors are selected from the high-dimensional feature vector using a feature selection method. Each feature of the high-dimensional feature vector originates from the attribute description of the corresponding sample. Therefore, each feature and the sample category label can be correlated one-to-one through the sample index, thereby enabling statistical analysis of the correlation between each feature and the sample category label. Specifically, in step S105, the statistical correlation index between each feature in the high-dimensional feature vector and the corresponding sample category label is calculated. The statistical correlation index is the weighted sum of mutual information, information gain, variance, and chi-square statistic between the i-th feature and the corresponding sample category label. The weight coefficients of mutual information, information gain, variance, and chi-square statistic in the weighted sum can be set empirically. Then, based on a pre-trained tree model (such as XGBoost (eXtreme Gradient Boosting) or LightGBM (Light Gradient Boosting Machine), the feature importance value of each feature is calculated. ,in, Let i be the feature importance value of the i-th feature. This represents the statistical correlation index between the i-th feature and the corresponding sample category label. This represents the feature value of the i-th dimension in the pre-trained tree model. and The weighting coefficients are pre-set; then, based on the feature importance values, each feature dimension is sorted, and the features ranked in the top q positions are selected and concatenated to form a sub-feature vector. Specifically, the features ranked in the top q positions can be concatenated in order to form the sub-feature vector, where q is pre-set; after obtaining the sub-feature vector, the representativeness score of the sub-feature vector is calculated. ,in, and The preset weighting coefficients and information content The sum of the entropy values ​​(Shannon entropy values) of each dimension of the sub-feature vector, representing the classification correlation. The mutual information between the sub-feature vector and the sample category label is calculated; sub-feature vectors with representative scores greater than or equal to a preset threshold are selected as key sub-feature vectors. Then, the key sub-feature vectors are dimensionality reduced, for example, using principal component analysis, to obtain low-dimensional key sub-feature vectors, thereby reducing computational complexity and improving classification efficiency.

[0166] Specifically, step S106 may include:

[0167] Step S1061: Extract instruction sequence features from the low-dimensional key feature vector;

[0168] Step S1062: Extract behavioral pattern features from the low-dimensional key feature vector;

[0169] Step S1063: Extract file structure features from the low-dimensional key feature vector;

[0170] Step S1064: Calculate the weighted sum of the instruction sequence features, the behavior pattern features, and the file structure features to obtain the comprehensive features.

[0171] Specifically, in step S1061, the target program in the low-dimensional key feature vector is disassembled to obtain the instruction sequence. The target program is the execution trajectory of a suspicious or normal program extracted from the low-dimensional key feature vector from the actual running environment (such as sandbox logs, process behavior monitoring). The target program extraction and the disassembly use conventional techniques, so they will not be elaborated here. For each instruction sequence, the opcode and operand type information are extracted from the instruction sequence, the frequency of the opcode is counted, and the instruction n-gram sequence is obtained. The frequency of the opcode and the instruction n-gram sequence are encoded into a fixed-dimensional numerical vector as the feature of the candidate instruction sequence. The importance score of the feature of the candidate instruction sequence is calculated. ,in, and Given preset weight coefficients, the sequence complexity is... The frequency distribution entropy value (Shannon entropy) of the opcode, and the mode discrimination. The sum of the distances between the candidate instruction sequence features and other candidate instruction sequence features; select candidate instruction sequence features whose importance score is greater than or equal to a preset threshold as instruction sequence features.

[0172] Specifically, in step S1062, the low-dimensional key feature vector is run in a sandbox, and the various running behaviors of the low-dimensional key feature vector are monitored to obtain the frequency statistical features (second frequency statistical features), n-gram sequence features (second n-gram sequence features), and behavior type distribution features (second behavior type distribution features) of each running behavior. The running behaviors may include file operation behaviors, registry modification behaviors, process management behaviors, memory allocation behaviors, and network communication behaviors, etc. For each running behavior, the second frequency statistical features, second n-gram sequence features, and second behavior type distribution features are normalized. Then, the normalized second frequency statistical features, second n-gram sequence features, and second behavior type distribution features are concatenated according to preset rules to form candidate behavior pattern features. The process of obtaining candidate behavior pattern features in step S1062 can refer to the process of obtaining dynamic features in step S103 above. Then, the pattern feature score of the candidate behavior pattern features is calculated. ,in, and The preset weighting coefficients represent the frequency of actions. The normalized number of times the described behavior occurs within a preset time window. The preset hazard level is based on expert annotation; candidate behavioral pattern features with a pattern feature score greater than or equal to a preset threshold are selected as the behavioral pattern features.

[0173] Specifically, in step S1063, the low-dimensional key feature vector is parsed to obtain the PE file header information. The numerical attributes of the sections within the obtained PE file header information are extracted. Sections are segments defined by the section table in the PE file. Each section contains data or code of a specified type and has an independent name, size, virtual address, entropy value, permissions, etc. The numerical attributes of the sections include quantity, size, entropy value, and the number of high-risk APIs. Based on these numerical attributes, candidate file structure features are formed. Specifically, each numerical attribute is normalized and combined into a vector to obtain the candidate file structure features. Then, the feature score of the candidate file structure features is calculated. ,in, and The weighting coefficients are preset, and the structural complexity is... The entropy of the PE file structure (Shannon entropy). This is the deviation of the candidate file structure features from normal samples (prepared and stored in advance); candidate file structure features with feature scores greater than or equal to a preset threshold are selected as file structure features. Candidate file structure features with feature scores less than the preset threshold can be regarded as malicious file structure features, thereby detecting disguised or hidden malicious behavior.

[0174] Specifically, in step S1064, a weighted sum of instruction sequence features, behavior pattern features, and file structure features is calculated to obtain a comprehensive feature. Simultaneously, an importance score for the comprehensive feature can be calculated. , , , The preset weighting coefficients represent the contribution ratios of instruction sequence features, behavioral pattern features, and file structure features to the overall features, respectively.

[0175] Specifically, in step S107, a multi-scale convolutional kernel structure is designed. This structure contains multiple convolutional computation channels (e.g., N), each channel employing a convolutional algorithm with a different kernel size to extract features at different levels of the comprehensive features. The convolutional algorithm can use a conventional convolutional algorithm, with the only difference in the convolutional computation of each channel being the kernel size. Each channel performs convolutional computation on the comprehensive features to obtain N feature maps.

[0176] Specifically, in step S108, the N feature maps are normalized to ensure they have the same scale and distribution. This normalization can be achieved using batch normalization or layer normalization. The normalized N feature maps are then processed using an activation function (e.g., ReLU activation function) to obtain N intermediate feature maps. These N intermediate feature maps are then pooled to obtain N pooled feature maps. Finally, a weighted sum of the N pooled feature maps is calculated. This yields multi-scale feature maps, where... For the i-th pooling feature map, This is the i-th preset weight coefficient.

[0177] Specifically, in step S109, the malicious code is classified using a pre-trained classification model, with the multi-scale feature map obtained from the malicious code data as input.

[0178] It should be noted that steps S102-S109 are performed on each piece of malicious code data in the collected multi-source malicious code data, and in the following training of the classification model, they are also performed on each piece of malicious code sample data in the training set.

[0179] Figure 2 A flowchart illustrating another implementation of the malicious code classification method of this application is shown, such as... Figure 2 As shown, the malicious code classification method of the second embodiment of this application includes:

[0180] Step S201: Collect multi-source malicious code data, convert the multi-source malicious code data into a unified format, and obtain standardized malicious code data;

[0181] Step S202: Extract the static features of the standardized malicious code data, including instruction flow features, structural features, and code pattern features;

[0182] Step S203: Extract the dynamic features of the standardized malicious code data, wherein the dynamic features are the behavioral characteristics of the standardized malicious code data when running in the sandbox;

[0183] Step S204: Based on the static and dynamic features, a high-dimensional feature vector is obtained;

[0184] Step S205: Select key sub-feature vectors from the high-dimensional feature vectors and reduce the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors;

[0185] Step S206: Extract instruction sequence features, behavior pattern features, and file structure features from the low-dimensional key feature vector, and calculate the weighted sum of the instruction sequence features, behavior pattern features, and file structure features to obtain the comprehensive features;

[0186] Step S207: Perform convolution calculations on the comprehensive features using N convolution algorithms to obtain N feature maps, wherein the kernel sizes of the N convolution algorithms are all different;

[0187] Step S208: Obtain a multi-scale feature map based on the N feature maps;

[0188] Step S209: Using the multi-scale feature map as input, perform malware classification using a pre-trained classification model;

[0189] Step S2010: Train the classification model using the training set. The classification model can be a deep network combining a multi-scale convolutional neural network (CNN) and fully connected layers. For example, the classification model may specifically include: an input layer for receiving multi-scale feature maps; a multi-branch convolutional layer for extracting features using convolutional kernels of different sizes; a feature fusion layer for weighted fusion of the outputs of each branch; a fully connected layer for making classification decisions; and an output layer for outputting the classification result, such as the probability of belonging to the malicious code category.

[0190] Step S2011: Generate adversarial sample data based on the malicious code sample data in the training set, wherein the multi-scale feature map of the adversarial sample data... ,in, The multi-scale feature map of the malicious code sample data. ,in, The preset disturbance intensity, for gradient, y is the true classification label of the malicious code sample data. The output function of the classification model. These represent the weights and biases of the convolutional neural network in the classification model.

[0191] Step S2012: Add the adversarial example data to the training set to obtain a comprehensive training set, and use the comprehensive training set to train the classification model;

[0192] Step S2013: Adjust the perturbation intensity according to the generalization ability score of the classification model to obtain a new perturbation intensity, and the generalization ability score... ,in, and The preset weighting coefficients determine the classification accuracy. robustness against ;

[0193] Step S2014: Regenerate the adversarial sample data using the new perturbation intensity, add the adversarial sample data to the training set to obtain a comprehensive training set, and train the classification model using the comprehensive training set.

[0194] Specifically, steps S201-S109 can be referred to steps S101-S109.

[0195] Specifically, in step S2010, a classification model is trained using malicious code sample data from the training set, wherein the training set consists of pre-collected multi-source malicious code sample data, and the training objective can be to make the malicious code sample data from the training set more widely used. Minimize, where, Let M be the true classification label of the j-th malicious code sample data, and M be the number of malicious code sample data. This is the multi-scale feature map corresponding to the j-th malware sample data. This indicates that the multi-scale feature map After inputting the classification model, the obtained prediction output value is the probability that the malicious code sample data belongs to the malicious code category. The weights and biases of the convolutional neural network in the classification model are given. This represents the weights and biases; in actual calculations, the values ​​of the two parameters, weight and bias, are substituted into the input. The corresponding parameters in.

[0196] Specifically, in step S2011, to improve the robustness of the classification model to positional attacks, adversarial example data can be introduced into the training set. Specifically, perturbations are introduced into the multi-scale feature maps of the malicious code sample data in the training set to obtain multi-scale feature maps of the adversarial example data. Correspondingly, the adversarial example data can be inversely calculated from the multi-scale features of the adversarial example data. The multi-scale feature maps of the adversarial example data... ,in, The multi-scale feature map of the malicious code sample data. ,in, The preset disturbance intensity, for gradient, y represents the true classification label of the malicious code sample data. This is the output function of the classification model.

[0197] Specifically, in step S2013, adversarial example data is added to the training set to obtain a comprehensive training set, which is then used to train the classification model. Specifically, in one possible implementation, when training the classification model using the comprehensive training set, the multi-scale feature maps of the adversarial example data are obtained. Multi-scale feature maps of malware sample data After that, not directly and Instead of using it as input to train the classification model, we first... and After fusing the multi-scale features, these features are used as input to the classification model to train it. Specifically, the multi-scale features are fused. ,in, and These are preset weight coefficients. In one possible implementation, adversarial sample data may not be generated; instead, perturbations are added to the multi-scale feature maps of the malware sample data, which are then used as input to the classification model for training.

[0198] Specifically, in steps S2014 and S2015, to optimize the adversarial example generation effect and further improve the accuracy of the classification model, the perturbation intensity can be adjusted based on the generalization ability score of the classification model after a certain number of training cycles to obtain a new perturbation intensity. The generalization ability score... , and The preset weighting coefficients determine the classification accuracy. robustness against For example, if the generalization ability score is lower than a preset threshold, the perturbation emphasis is continuously adjusted, and the generalization ability score is observed. If the generalization ability score increases, the adjustment is effective. Then, adversarial example data is regenerated using the new perturbation intensity, and the adversarial example data is added to the training set to obtain a comprehensive training set. The classification model is then trained using the comprehensive training set.

[0199] The malware classification method provided in this application, through systematic data preprocessing, feature engineering, and model training, accurately extracts core features and comprehensively captures the static and dynamic characteristics of malware. It effectively solves the problems of heterogeneous and inconsistent distribution of malware data, improves classification accuracy and generalization ability, adapts to multiple scenario requirements, and achieves efficient and robust malware classification. Furthermore, by integrating a multi-scale feature extraction framework with a dynamic adversarial training mechanism, it enhances the ability to resist unknown malware and adversarial attacks. Compared to traditional signature classification methods and single-feature machine learning models, it can effectively address complex malware threats, reduce false positive and false negative rates, and improve network security protection levels.

[0200] A second aspect of this application provides a malicious code classification system. Figure 3 A structural block diagram of one embodiment of the malicious code classification system of this application is shown, such as... Figure 3 As shown, the malicious code classification system of the third embodiment of this application includes:

[0201] The acquisition module 301 is used to acquire multi-source malicious code data, convert the multi-source malicious code data into a unified format, and obtain standardized malicious code data.

[0202] The static feature extraction module 302 is used to extract static features from the standardized malicious code data, wherein the static features include instruction flow features, structural features and code pattern features.

[0203] The dynamic feature extraction module 303 extracts the dynamic features of the standardized malicious code data, wherein the dynamic features are the behavioral characteristics of the standardized malicious code data when running in the sandbox.

[0204] The high-dimensional feature acquisition module 304 is used to obtain a high-dimensional feature vector based on the static and dynamic features.

[0205] The key feature acquisition module 305 filters out key sub-feature vectors from the high-dimensional feature vectors and reduces the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors.

[0206] Key feature parsing module 306 is used to extract instruction sequence features, behavior pattern features and file structure features from the low-dimensional key sub-feature vector;

[0207] The feature synthesis module 307 is used to calculate the weighted sum of the instruction sequence features, the behavior pattern features, and the file structure features to obtain the synthesized features;

[0208] The multi-scale convolution module 308 is used to perform convolution calculations on the comprehensive features using N convolution algorithms to obtain N feature maps, wherein the convolution kernel sizes of the N convolution algorithms are different.

[0209] Multi-scale fusion module 309 is used to obtain multi-scale feature maps based on the N feature maps;

[0210] The classification module 3010 is used to classify malicious code using a pre-trained classification model with the multi-scale feature map as input.

[0211] Specifically, the static feature extraction module is used for:

[0212] Code segment data is extracted from the standardized malicious code data, the code segment data is disassembled to obtain an opcode sequence, and an instruction stream feature vector is obtained based on the opcode sequence;

[0213] The standardized malicious code data is parsed to obtain multiple segment data, the structural parameters of each segment data are calculated, and a structural feature vector is obtained based on the structural parameters. The structural parameters include size, entropy value and structural integrity parameter. The multiple segment data includes PE file header, segment table, import table and export table.

[0214] The standardized malicious code data is divided into multiple basic blocks. Based on the statistical and classification features of the multiple basic blocks, a code feature vector is generated. Each basic block has only one entry point and only one exit point.

[0215] The instruction flow feature vector, the structure feature vector, and the code feature vector are normalized, and the normalized instruction flow feature vector, the structure feature vector, and the code feature vector are concatenated to form the static feature.

[0216] Specifically, the dynamic feature extraction module is used for:

[0217] The standardized malicious code data is run in a sandbox, and various running behaviors of the standardized malicious code data are monitored to obtain the first frequency statistical characteristics, the first n-gram sequence characteristics, and the first behavior type distribution characteristics of the various running behaviors. The running behaviors include API call behavior, system call behavior, memory allocation behavior, file and registry operation behavior, and network communication behavior.

[0218] The first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are normalized, and the normalized first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are concatenated to form the dynamic feature.

[0219] Specifically, the high-dimensional feature acquisition module is used for:

[0220] The static features and the dynamic features are vectorized respectively to obtain static feature vector S and dynamic feature vector D, and the high-dimensional feature vector... ,in and These are the preset weighting coefficients.

[0221] Specifically, the key feature acquisition module is used for:

[0222] Calculate the statistical correlation index between each feature dimension in the high-dimensional feature vector and the corresponding sample category label, and calculate the feature importance value of each feature dimension based on the pre-trained tree model; ,in, Let i be the feature importance value of the i-th feature. The statistical correlation index represents the relationship between the i-th feature and its corresponding sample category label. This statistical correlation index is a weighted sum of the mutual information, information gain, variance, and chi-square statistic between the i-th feature and its corresponding sample category label. This represents the feature value of the i-th dimension in the pre-trained tree model. and The weights are preset; based on the feature importance values, each feature dimension is sorted, and the top q features are selected and concatenated to form the sub-feature vector, where q is preset; the representativeness score of the sub-feature vector is calculated. ,in, and The preset weighting coefficients and information content The sum of the Shannon entropy values ​​of each dimension of the sub-feature vector, representing the classification correlation. Mutual information between the sub-feature vector and the sample category label

[0223] Select the sub-feature vectors whose representative scores are greater than or equal to a preset threshold as key sub-feature vectors;

[0224] The key feature vector is reduced in dimensionality to obtain a low-dimensional key feature vector.

[0225] In one possible implementation, the key feature acquisition module uses principal component analysis to reduce the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors.

[0226] In one possible implementation, the key feature parsing module may include:

[0227] The instruction sequence feature extraction submodule is used to extract instruction sequence features from the low-dimensional key sub-feature vector;

[0228] A behavior pattern feature extraction submodule is used to extract behavior pattern features from the low-dimensional key sub-feature vector; and,

[0229] The file structure feature extraction submodule is used to extract file structure features from the low-dimensional key sub-feature vector.

[0230] Specifically, the instruction sequence feature extraction submodule is used for: extracting the target program from the low-dimensional key sub-feature vector; disassembling the target program to obtain instruction sequences; for each instruction sequence, extracting opcode and operand type information from the instruction sequence, counting the frequency of the opcode and obtaining the instruction n-gram sequence, encoding the frequency of the opcode and the instruction n-gram sequence into a fixed-dimensional numerical vector as candidate instruction sequence features; and calculating the importance score of the candidate instruction sequence features. ,in, and Given preset weight coefficients, the sequence complexity is... The frequency distribution entropy value of the opcode, and the mode discrimination degree. The sum of the distances between the candidate instruction sequence features and other candidate instruction sequence features; the candidate instruction sequence features whose importance score is greater than or equal to a preset threshold are selected as the instruction sequence features.

[0231] Specifically, the behavior pattern feature extraction submodule is used to: run the low-dimensional key sub-feature vector in a sandbox, monitor each running behavior of the low-dimensional key sub-feature vector, and obtain the second frequency statistical feature, second n-gram sequence feature, and second behavior type distribution feature of each running behavior, wherein the running behavior includes file operation behavior, registry modification behavior, process management behavior, memory allocation behavior, and network communication behavior; for each running behavior, normalize the second frequency statistical feature, second n-gram sequence feature, and second behavior type distribution feature, and concatenate the normalized second frequency statistical feature, second n-gram sequence feature, and second behavior type distribution feature to form a candidate behavior pattern feature; and calculate the pattern feature score of the candidate behavior pattern feature. ,in, and The preset weighting coefficients represent the frequency of actions. The normalized number of times the described behavior occurs within a preset time window. The preset hazard level is based on expert annotation; the candidate behavioral pattern features whose pattern feature scores are greater than or equal to a preset threshold are selected as the behavioral pattern features.

[0232] Specifically, the file structure feature extraction submodule is used to: parse the low-dimensional key sub-feature vector to obtain PE file header information; extract the numerical attributes of the sections of the PE file header information, the numerical attributes including quantity, size, entropy value, and number of high-risk APIs; form candidate file structure features based on the numerical attributes; and calculate the feature score of the candidate file structure features. ,in, and The weighting coefficients are preset, and the structural complexity is... The entropy of the PE file structure, It is the deviation of the candidate file structure features from normal samples; the candidate file structure features whose feature scores are greater than or equal to a preset threshold are selected as the file structure features.

[0233] Specifically, the multi-scale fusion module is used to: normalize the N feature maps so that the scale and distribution of the N feature maps are the same; calculate the N intermediate feature maps by using an activation function (e.g., ReLU activation function); pool the N intermediate feature maps to obtain N pooled feature maps; and calculate the weighted sum of the N pooled feature maps. The multi-scale feature map is obtained, wherein, For the i-th pooling feature map, This is the i-th preset weight coefficient.

[0234] Figure 4 A structural block diagram of another embodiment of the malicious code classification and identification system of this application is shown, such as... Figure 4 As shown, the malicious code classification system of the fourth embodiment of this application includes:

[0235] The acquisition module 401 is used to acquire multi-source malicious code data, convert the multi-source malicious code data into a unified format, and obtain standardized malicious code data.

[0236] The static feature extraction module 402 is used to extract static features from the standardized malicious code data, wherein the static features include instruction flow features, structural features and code pattern features.

[0237] The dynamic feature extraction module 403 extracts the dynamic features of the standardized malicious code data, wherein the dynamic features are the behavioral characteristics of the standardized malicious code data when running in the sandbox.

[0238] The high-dimensional feature acquisition module 404 is used to obtain a high-dimensional feature vector based on the static and dynamic features.

[0239] The key feature acquisition module 405 filters out key sub-feature vectors from the high-dimensional feature vectors and reduces the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors.

[0240] Key feature parsing module 406 is used to extract instruction sequence features, behavior pattern features and file structure features from the low-dimensional key sub-feature vector;

[0241] The feature synthesis module 407 is used to calculate the weighted sum of the instruction sequence features, the behavior pattern features, and the file structure features to obtain the synthesized features;

[0242] The multi-scale convolution module 408 is used to perform convolution calculations on the comprehensive features using N convolution algorithms to obtain N feature maps, wherein the convolution kernel sizes of the N convolution algorithms are different.

[0243] The multi-scale fusion module 409 is used to obtain a multi-scale feature map based on the N feature maps;

[0244] The classification module 4010 is used to classify malicious code using a pre-trained classification model with the multi-scale feature map as input.

[0245] The classification model training module 4011 is used to train the classification model using a training set.

[0246] Specifically, the classification model training module is used for:

[0247] The multi-scale feature map of the malware sample data in the training set is calculated, and the multi-scale feature map of the malware sample data is used as the input of the classification model, with a loss function... Minimize the target value to train the classification model, where, Let M be the true classification label of the j-th malicious code sample data, and M be the number of malicious code sample data. This is the multi-scale feature map corresponding to the j-th malware sample data. This indicates that the multi-scale feature map After inputting the classification model, the obtained prediction output value is the probability that the malicious code sample data belongs to the malicious code category. These represent the weights and biases of the convolutional neural network in the classification model.

[0248] In one possible implementation, the classification model training module is further configured to:

[0249] Adversarial sample data is generated based on the malicious code sample data in the training set, and the multi-scale feature map of the adversarial sample data... ,in, The multi-scale feature map of the malicious code sample data. ,in, The preset disturbance intensity, for gradient, y is the true classification label of the malicious code sample data. The output function of the classification model;

[0250] The adversarial sample data is added to the training set to obtain a comprehensive training set, which is then used to train the classification model.

[0251] Specifically, when training the classification model using the comprehensive training set, the training model is specifically used to: calculate fused multi-scale features. ,in, and The preset weighting coefficients are used to fuse the multi-scale features. The classification model is trained by using the input of the input.

[0252] In one possible implementation of complex numerical values, the classification model training module is further used for:

[0253] The perturbation intensity is adjusted based on the generalization ability score of the classification model to obtain a new perturbation intensity, and the generalization ability score is... ,in, and The preset weighting coefficients determine the classification accuracy. robustness against ;

[0254] The adversarial sample data is regenerated using the new perturbation intensity, and then added to the training set to obtain a comprehensive training set. The classification model is then trained using the comprehensive training set.

[0255] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process and related descriptions of the system described above can be referred to the corresponding processes in the foregoing method embodiments, and therefore will not be repeated here.

[0256] The malicious code classification system provided in this application extracts core features and captures the static and dynamic characteristics of malicious code through systematic data preprocessing, feature engineering, and model training. It solves the problem of data heterogeneity, improves classification accuracy, generalization ability, and adaptability, and achieves efficient and robust classification. Furthermore, it can integrate multi-scale feature extraction and dynamic adversarial training to enhance the ability to resist unknown attacks, overcome the shortcomings of traditional methods, cope with complex malicious code threats, reduce false positive and false negative rates, and improve the level of network security protection.

[0257] It should be noted that the malicious code classification system provided in the above embodiments is only an example of the division of the above functional modules. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the modules or steps in the embodiments of this application can be further decomposed or combined. For example, the modules in the above embodiments can be merged into one module, or further split into multiple sub-modules to complete all or part of the functions described above. The names of the modules and steps involved in the embodiments of this application are only for distinguishing the various modules or steps and are not considered as an improper limitation of this application.

[0258] In a third aspect of this application, an electronic device is also provided, the electronic device comprising: at least one processor; and a memory communicatively connected to at least one of the processors; wherein the memory stores instructions executable by the processor, the instructions being executed by the processor to implement the above-described malicious code classification method.

[0259] In a fourth aspect of this application, a computer-readable storage medium is also provided, the computer-readable storage medium storing computer instructions for execution by the computer to implement the above-described malicious code classification method.

[0260] In a fifth aspect of this application, a computer program product comprising instructions is also provided, which, when executed by a computer device, cause the computer device to perform the malicious code classification method described above.

[0261] Those skilled in the art will recognize that the modules and method steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. The programs corresponding to the software modules and method steps can be placed in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disks, removable disks, CD-ROMs, or any other form of storage medium known in the art. To clearly illustrate the interchangeability of electronic hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in electronic hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0262] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0263] The terms “first”, “second”, etc., are used to distinguish similar objects, not to describe or indicate a specific order or sequence.

[0264] The term "comprising" or any other similar term is intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus / device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such process, method, article, or apparatus / device.

[0265] The technical solution of the present invention has been described above with reference to the preferred embodiments shown in the accompanying drawings. However, it will be readily understood by those skilled in the art that the scope of protection of the present invention is obviously not limited to these specific embodiments. Without departing from the principles of the present invention, those skilled in the art can make equivalent changes or substitutions to the relevant technical features, and the technical solutions after these changes or substitutions will all fall within the scope of protection of the present invention.

Claims

1. A method for classifying malicious code, characterized in that, include: Collect multi-source malware data, convert the multi-source malware data into a unified format, and obtain standardized malware data; Extract static features from the standardized malicious code data, including instruction flow features, structural features, and code pattern features; Extract the dynamic features of the standardized malicious code data, where the dynamic features are the behavioral characteristics of the standardized malicious code data when running in a sandbox. Based on the static and dynamic features, a high-dimensional feature vector is obtained; Key sub-feature vectors are selected from the high-dimensional feature vectors, and the dimensionality of the key sub-feature vectors is reduced to obtain low-dimensional key sub-feature vectors. Instruction sequence features, behavior pattern features, and file structure features are extracted from the low-dimensional key sub-feature vectors, and a weighted sum of the instruction sequence features, behavior pattern features, and file structure features is calculated to obtain a comprehensive feature. The comprehensive features are convolved using N convolution algorithms to obtain N feature maps, and the kernel sizes of the N convolution algorithms are all different. A multi-scale feature map is obtained based on the N feature maps; Using the multi-scale feature map as input, a pre-trained classification model is used to classify malicious code.

2. The method as described in claim 1, characterized in that, The extraction of static features from the standardized malicious code data includes: Code segment data is extracted from the standardized malicious code data, the code segment data is disassembled to obtain an opcode sequence, and an instruction stream feature vector is obtained based on the opcode sequence; The standardized malicious code data is parsed to obtain multiple segment data, the structural parameters of each segment data are calculated, and a structural feature vector is obtained based on the structural parameters. The structural parameters include size, entropy value and structural integrity parameter. The multiple segment data includes PE file header, segment table, import table and export table. The standardized malicious code data is divided into multiple basic blocks. Based on the statistical and classification features of the multiple basic blocks, a code feature vector is generated. Each basic block has only one entry point and only one exit point. The instruction flow feature vector, the structure feature vector, and the code feature vector are normalized, and the normalized instruction flow feature vector, the structure feature vector, and the code feature vector are concatenated to form the static feature.

3. The method as described in claim 1, characterized in that, The extraction of dynamic features from the standardized malicious code data includes: The standardized malicious code data is run in a sandbox, and various running behaviors of the standardized malicious code data are monitored to obtain the first frequency statistical characteristics, the first n-gram sequence characteristics, and the first behavior type distribution characteristics of the various running behaviors. The running behaviors include API call behavior, system call behavior, memory allocation behavior, file and registry operation behavior, and network communication behavior. The first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are normalized, and the normalized first frequency statistical feature, the first n-gram sequence feature, and the first behavior type distribution feature are concatenated to form the dynamic feature.

4. The method as described in claim 1, characterized in that, The process of obtaining a high-dimensional feature vector based on the static and dynamic features includes: The static features and dynamic features are vectorized respectively to obtain static feature vector S and dynamic feature vector D, and the high-dimensional feature vector... ,in and These are preset weighting coefficients; The step of filtering key sub-feature vectors from the high-dimensional feature vectors includes: Calculate the statistical correlation index between each feature dimension in the high-dimensional feature vector and the corresponding sample category label, and calculate the feature importance value of each feature dimension based on the pre-trained tree model; ; in, Let i be the feature importance value of the i-th feature. The statistical correlation index represents the relationship between the i-th feature and its corresponding sample category label. This statistical correlation index is a weighted sum of the mutual information, information gain, variance, and chi-square statistic between the i-th feature and its corresponding sample category label. This represents the feature value of the i-th dimension in the pre-trained tree model. and These are pre-set weighting coefficients; Based on the feature importance value, each feature dimension is sorted, and the features ranked in the top q positions are selected and concatenated to form the sub-feature vector, where q is preset. Calculate the representative score of the sub-feature vector. ,in, and The preset weighting coefficients and information content The sum of the entropy values ​​of each dimension of the sub-feature vector, representing the classification correlation. The mutual information between the sub-feature vector and the sample category label; Select the sub-feature vectors whose representative scores are greater than or equal to a preset threshold as key sub-feature vectors.

5. The method as described in claim 4, characterized in that, Extracting instruction sequence features from the low-dimensional key feature vector includes: The target program is extracted from the low-dimensional key feature vector; the target program is disassembled to obtain the instruction sequence; For each instruction sequence, the opcode and operand type information are extracted from the instruction sequence, the frequency of the opcode is counted and the instruction n-gram sequence is obtained, and the frequency of the opcode and the instruction n-gram sequence are encoded into a fixed-dimensional numerical vector as the feature of the candidate instruction sequence. Calculate the importance score of the features of the candidate instruction sequence. ,in, and Given preset weight coefficients, the sequence complexity is... The frequency distribution entropy value of the opcode, and the mode discrimination degree. The sum of the distances between the candidate instruction sequence features and other candidate instruction sequence features; Select the candidate instruction sequence features whose importance score is greater than or equal to a preset threshold as the instruction sequence features; The step of extracting behavioral pattern features from the low-dimensional key sub-feature vector includes: The low-dimensional key feature vector is run in a sandbox, and the various running behaviors of the low-dimensional key feature vector are monitored to obtain the second frequency statistical features, the second n-gram sequence features and the second behavior type distribution features of each running behavior. The running behaviors include file operation behavior, registry modification behavior, process management behavior, memory allocation behavior and network communication behavior. For each running behavior, the second frequency statistical feature, the second n-gram sequence feature, and the second behavior type distribution feature are normalized, and the normalized second frequency statistical feature, the second n-gram sequence feature, and the second behavior type distribution feature are concatenated to form the candidate behavior pattern feature; Calculate the pattern feature score of the candidate behavior pattern features. ,in, and The preset weighting coefficients represent the frequency of actions. The normalized number of times the described behavior occurs within a preset time window. The hazard level is a preset level based on expert annotations; Select the candidate behavioral pattern features whose pattern feature scores are greater than or equal to a preset threshold as the behavioral pattern features; The extraction of file structure features from the low-dimensional key sub-feature vector includes: The low-dimensional key feature vector is parsed to obtain the PE file header information. The numerical attributes of the sections of the PE file header information are extracted. The numerical attributes include the number, size, entropy value and the number of high-risk APIs. The candidate file structure features are formed based on the numerical attributes. Calculate the feature score of the structural features of the candidate files. ,in, and The weighting coefficients are preset, and the structural complexity is... The entropy of the PE file structure, It is the deviation of the structural features of the candidate file from those of normal samples; The candidate file structure features whose feature scores are greater than or equal to a preset threshold are selected as the file structure features.

6. The method as described in claim 1, characterized in that, The process of obtaining multi-scale feature maps based on the N feature maps includes: The N feature maps are normalized so that the scale and distribution of the N feature maps are the same; The activation function is used to calculate the N normalized feature maps to obtain N intermediate feature maps; The N intermediate feature maps are pooled to obtain N pooled feature maps; Calculate the weighted sum of the N pooling feature maps. The multi-scale feature map is obtained, wherein, For the i-th pooling feature map, For the i-th preset weight coefficient.

7. The method as described in claim 1, characterized in that, It also includes training the classification model using a training set, wherein training the classification model using a training set includes: The multi-scale feature map of the malware sample data in the training set is calculated, and the multi-scale feature map of the malware sample data is used as the input of the classification model, with a loss function... Minimize the target value to train the classification model, where, Let M be the true classification label of the j-th malicious code sample data, and M be the number of malicious code sample data. For the multi-scale feature map corresponding to the j-th malware sample data, This indicates that the multi-scale feature map After inputting the classification model, the obtained prediction output value is the probability that the malicious code sample data belongs to the malicious code category. These represent the weights and biases of the convolutional neural network in the classification model.

8. The method as described in claim 7, characterized in that, Also includes: Adversarial sample data is generated based on the malicious code sample data in the training set, and the multi-scale feature map of the adversarial sample data... ,in, The multi-scale feature map of the malicious code sample data. ,in, The preset disturbance intensity, for gradient, y is the true classification label of the malicious code sample data. The output function of the classification model; The adversarial sample data is added to the training set to obtain a comprehensive training set, and the classification model is trained using the comprehensive training set. Training the classification model using the comprehensive training set includes: Computational fusion of multi-scale features ,in, and The preset weighting coefficients are used to fuse the multi-scale features. The classification model is trained by using the input of the input.

9. The method as described in claim 8, characterized in that, Also includes: The perturbation intensity is adjusted based on the generalization ability score of the classification model to obtain a new perturbation intensity, and the generalization ability score is... ,in, and The preset weighting coefficients determine the classification accuracy. robustness against ; The adversarial sample data is regenerated using the new perturbation intensity, and then added to the training set to obtain a comprehensive training set. The classification model is then trained using the comprehensive training set.

10. A malicious code classification system, characterized in that, include: The acquisition module is used to collect multi-source malicious code data and convert the multi-source malicious code data into a unified format to obtain standardized malicious code data. A static feature extraction module is used to extract static features from the standardized malicious code data, wherein the static features include instruction flow features, structural features, and code pattern features. The dynamic feature extraction module extracts the dynamic features of the standardized malicious code data, wherein the dynamic features are the behavioral characteristics of the standardized malicious code data when running in the sandbox. A high-dimensional feature acquisition module is used to obtain a high-dimensional feature vector based on the static and dynamic features; The key feature acquisition module filters out key sub-feature vectors from the high-dimensional feature vectors and reduces the dimensionality of the key sub-feature vectors to obtain low-dimensional key sub-feature vectors. The key feature parsing module is used to extract instruction sequence features, behavior pattern features, and file structure features from the low-dimensional key sub-feature vectors. The feature synthesis module is used to calculate the weighted sum of the instruction sequence features, the behavior pattern features, and the file structure features to obtain the synthesized features; A multi-scale convolution module is used to perform convolution calculations on the comprehensive features using N convolution algorithms to obtain N feature maps, wherein the convolution kernel sizes of the N convolution algorithms are all different; A multi-scale fusion module is used to obtain a multi-scale feature map based on the N feature maps; The classification module is used to classify malicious code using a pre-trained classification model, taking the multi-scale feature map as input.